Have one application use VPN while others do not in Linux?

I want one application to use a VPN connection while others do not.

I'm using Xubuntu (thus XFCE) but I'd like a command line / static configuration solution if it's possible.

Is it possible to accomplish it, and if so how?


Solution 1:

Once I wanted to do this and I ran the application in a virtual machine (I like VirtualBox) and configured the guest OS instance so all its traffic was entirely VPN-routed. Arguably rather overkill, but it means you worry a lot less about whether all the app's (and anything it's spawned) packets are actually being routed as you wanted. Modern VMs' seamless windows and shared folder capabilities mean using the app in a VM can be fairly painless too.

Solution 2:

The easiest way would be to use a VPN that can expose itself as a SOCKS server; then any of the SOCKS-wrapping tools (e.g., tsocks) could do that.

Otherwise iptables could be made to do it by using packet marking, then using that for path selection.

If it's just to one specific destination, that's easily accomplished by having the VPN only add the relevant route for that and no other.

Of course, if it's just one app, I'd be trying to make it use SSL so no VPN is needed at all.

Solution 3:

If the application you need to use is only connecting to a specific address (i.e., an RDP session to a work machine), you could use the routing table to force the destination of that traffic to go over the VPN link, or use iptables as suggested.

Solution 4:

You can try playing with the iptables owner module if you can make the application in question run as a particular user (man iptables, search for owner and think of what you can do starting from that; I do not have a ready solution, nor do I remember the syntax beyond that it uses the --uid-owner command line option).

The solution proposed by timday (have the application running in the guest instance with OpenVZ, Xen or VirtualBox) should also work, but if you can go for it, you probably can restrict the process in question to a particular user.
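
The packet marking from Solution 2 and the owner match from Solution 4 combine as follows; this is an added example, not part of any answer above. It assumes a dedicated user (here "vpnapp"), a VPN interface "tun0", routing table 100 and mark 0x1, all placeholder values, and a VPN client that does not replace the system default route.

```shell
#!/bin/sh
# Added example: print the commands that send one user's traffic through the VPN.
# Assumed placeholders: user "vpnapp", interface "tun0", table 100, mark 0x1.

# Accept only plain names so nothing unexpected is spliced into the commands.
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

split_tunnel_rules() {
    user=$1 dev=$2 table=${3:-100} mark=${4:-0x1}
    valid_name "$user" && valid_name "$dev" || { echo "bad user or interface" >&2; return 1; }
    case "$table" in ''|*[!0-9]*) echo "table must be numeric" >&2; return 1 ;; esac
    case "$mark" in ''|*[!0-9a-fA-Fx]*) echo "mark must be a number" >&2; return 1 ;; esac
    cat <<EOF
iptables -t mangle -A OUTPUT -m owner --uid-owner $user -j MARK --set-mark $mark
ip rule add fwmark $mark table $table
ip route add default dev $dev table $table
iptables -t nat -A POSTROUTING -o $dev -j MASQUERADE
sysctl -w net.ipv4.conf.$dev.rp_filter=2
iptables -A OUTPUT -m owner --uid-owner $user -o lo -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $user ! -o $dev -j REJECT
EOF
}
# Line 1: mark every packet created by a process running as $user.
# Lines 2-3: marked packets use a table whose only default route is the VPN.
# Line 4: the source address was picked before re-routing, so rewrite it.
# Line 5: loose reverse-path filtering, otherwise replies on $dev are dropped.
# Lines 6-7: leak guard. If the VPN goes down the route in the extra table
#            disappears and traffic would fall back to the normal default
#            route; reject anything from $user not leaving via $dev or lo.

# Print the commands for review; pipe the output into "sh -e" as root to apply.
split_tunnel_rules vpnapp tun0
```

Once applied, start the application as that user (for example with sudo -u vpnapp); child processes inherit the UID and so are covered by the same rules.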